CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
MeterSphere is an open source continuous testing platform. Prior to version 3.6.5-lts, the sortField parameter in certain API endpoints is not properly validated or sanitized. An attacker can supply crafted input to inject and execute arbitrary SQL statements through the sorting functionality. This could result in modification or deletion of database contents, with a potential full compromise of the application’s database integrity and availability. Version 3.6.5-lts fixes the issue.
Analysis
CVE-2025-53639 is a critical SQL injection vulnerability in MeterSphere's API sorting functionality where the sortField parameter lacks proper input validation and sanitization. All versions prior to 3.6.5-lts are affected, allowing unauthenticated remote attackers to execute arbitrary SQL statements and completely compromise database integrity, availability, and confidentiality. This is a network-exploitable vulnerability with no authentication required and high real-world risk.
Technical Context
The vulnerability exists in MeterSphere (CPE: cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*), an open-source continuous testing platform written in Java. The root cause is classified under CWE-89 (SQL Injection), specifically improper neutralization of special elements used in an SQL command. The sortField parameter in multiple API endpoints is passed directly into SQL ORDER BY clauses or similar database query construction without parameterized queries or input validation. The application fails to use prepared statements with bound parameters, instead concatenating user-supplied input directly into dynamic SQL queries. This is a classic SQL injection in the sorting/filtering layer, whether the tainted value reaches the query directly from the request or is stored first and reused later (second-order).
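To make the flaw concrete, the following added example (not MeterSphere's code; the table, column names and allowlist are constructed for illustration) contrasts the concatenation pattern described above with an allowlist-based builder. The practical point for a fix: most database drivers cannot bind an ORDER BY column name as a query parameter, so "use prepared statements" alone does not close this hole; the sort target has to be resolved from a fixed map of known-good identifiers, and anything else rejected.

```python
import re
import sqlite3

# Constructed sample data: a tiny table standing in for a paginated, sortable API resource.
# None of this is MeterSphere's own code; it illustrates the pattern the advisory describes.
SAMPLE_ROWS = [(1, "login test", "passed"), (2, "checkout test", "failed"), (3, "search test", "passed")]

# Allowlist mapping the client-facing sortField value to a real column name.
# Only these values may ever reach the statement text.
SORT_COLUMNS = {"id": "id", "name": "name", "status": "status"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query_vulnerable(sort_field: str) -> str:
    """The flawed pattern: user input concatenated straight into ORDER BY.

    Whatever the client sends becomes part of the statement, so anything beyond a
    column name (extra clauses, comments, subqueries) is handed to the database.
    """
    return f"SELECT id, name, status FROM test_case ORDER BY {sort_field}"


def build_query_safe(sort_field: str, direction: str = "asc") -> str:
    """Hardened pattern: resolve the client value through an allowlist.

    ORDER BY targets cannot be bound as parameters in most drivers, so the column
    name must come from a fixed table of known-good identifiers rather than from
    the request. Anything not in the allowlist is rejected outright.
    """
    column = SORT_COLUMNS.get(sort_field)
    if column is None:
        raise ValueError(f"unsupported sortField: {sort_field!r}")
    order = SORT_DIRECTIONS.get(direction.lower())
    if order is None:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f"SELECT id, name, status FROM test_case ORDER BY {column} {order}"


def run_sorted(sort_field: str, direction: str = "asc") -> list:
    """Execute the hardened query against an in-memory database and return row ids in order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_case (id INTEGER, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO test_case VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute(build_query_safe(sort_field, direction)).fetchall()
    conn.close()
    return [row[0] for row in rows]


def contains_injected_syntax(sql: str) -> bool:
    """Crude check used only to show that the vulnerable builder leaks request text into the statement."""
    return re.search(r"(--|/\*|;)", sql) is not None


if __name__ == "__main__":
    crafted = "name; -- not a column"
    print(build_query_vulnerable(crafted))   # the request text ends up inside the statement verbatim
    try:
        build_query_safe(crafted)
    except ValueError as exc:
        print("rejected:", exc)
    print(run_sorted("name", "desc"))
```

The allowlist also decouples the API's public field names from physical column names, which is a useful side effect: the client never learns the schema, and renaming a column does not change the API.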
Affected Products
Product: MeterSphere (vendor: MeterSphere)
Product type: Open-source continuous testing platform
Affected versions: < 3.6.5-lts
Patched version: 3.6.5-lts
CPE: cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*
Affected endpoints: Multiple API endpoints containing the sortField parameter
Remediation
1. Patch (priority: CRITICAL): Upgrade MeterSphere to version 3.6.5-lts or later. The patched version 3.6.5-lts implements proper input validation and sanitization of the sortField parameter, likely through parameterized queries, allowlist validation, or input escaping.
2. Immediate Mitigation: If immediate patching is not possible, implement WAF rules to block requests containing SQL keywords in sortField parameter values. Block requests where sortField contains: UNION, SELECT, DROP, INSERT, UPDATE, DELETE, OR, AND, --, /*. This is a temporary measure only.
3. Detection: Monitor API access logs for suspicious sortField values containing SQL syntax or special characters. Search for patterns: semicolons, comment sequences (--, /*), SQL keywords, UNION statements in sortField parameter logs.
4. Access Control: If running vulnerable versions, restrict network access to MeterSphere APIs to trusted internal networks only. Disable external/internet-facing access until patching is complete.
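The detection item above can be turned into a small log scanner. The example below is added here and is not part of the advisory or of MeterSphere; the access-log lines, endpoint path and client addresses are constructed. It parses the request line of each entry, decodes every sortField value in the query string, and flags values containing the indicator patterns the advisory lists (comment sequences, semicolons, SQL keywords). Keywords are matched as whole words so that ordinary field names such as "order" or "author" do not trip the OR/AND entries; a hit is an indicator to triage, not proof of exploitation, and encoded or obfuscated input can slip past a pattern list like this.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). Entries 2, 3 and 5 carry
# sortField values containing SQL syntax; the other two are ordinary sort requests.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2025:09:12:01 +0000] "GET /api/case/list?page=1&sortField=name HTTP/1.1" 200 512
10.0.0.9 - - [10/Jul/2025:09:12:07 +0000] "GET /api/case/list?sortField=name%3B%20--%20x HTTP/1.1" 200 498
10.0.0.9 - - [10/Jul/2025:09:12:09 +0000] "GET /api/case/list?sortField=id%20UNION%20SELECT%201 HTTP/1.1" 500 102
10.0.0.7 - - [10/Jul/2025:09:13:44 +0000] "GET /api/case/list?sortField=createTime&order=desc HTTP/1.1" 200 530
10.0.0.9 - - [10/Jul/2025:09:13:51 +0000] "POST /api/case/list?sortField=name/*x*/ HTTP/1.1" 200 501
"""

# Indicator patterns taken from the advisory's detection guidance: comment sequences,
# statement separators and SQL keywords. Keywords are whole-word matches so that
# legitimate column names such as "order" or "author" do not trigger on OR/AND.
SUSPICIOUS = re.compile(
    r"(--|/\*|;|\b(?:UNION|SELECT|DROP|INSERT|UPDATE|DELETE|OR|AND)\b)", re.IGNORECASE
)

# Request line inside a combined-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def extract_sort_fields(line: str) -> list:
    """Return every percent-decoded sortField value in the entry's query string, or [] if none."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    # parse_qs already percent-decodes the values, so "%3B" comes back as ";".
    return parse_qs(query, keep_blank_values=True).get("sortField", [])


def is_suspicious(value: str) -> bool:
    """True if the sortField value contains any indicator pattern from the advisory."""
    return SUSPICIOUS.search(value) is not None


def scan_log(text: str) -> list:
    """Return (client_ip, sortField value) pairs for entries whose sortField looks like SQL."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]
        for value in extract_sort_fields(line):
            if is_suspicious(value):
                hits.append((client_ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: suspicious sortField={value!r}")
```

In practice the same check belongs in the application's own request validation (reject, and log, any sortField not in the allowlist) rather than only in an after-the-fact log sweep; the scanner is useful for looking back over the window before the upgrade to 3.6.5-lts was applied.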
EUVD-2025-21386